NATIONAL OCEANIC AND ATMOSPHERIC ADMINISTRATION

Significant Security Deficiencies in NOAA’s Information Systems Create Risks in Its National Critical Mission

FINAL REPORT NO. OIG-14-025-A
JULY 15, 2014

U.S. Department of Commerce
Office of Inspector General
Office of Audit and Evaluation

FOR PUBLIC RELEASE


UNITED STATES DEPARTMENT OF COMMERCE
Office of Inspector General
Washington, D.C. 20230

July 15, 2014

MEMORANDUM FOR: Dr. Kathryn Sullivan
                Under Secretary of Commerce for Oceans and Atmosphere

FROM:           Assistant Inspector General for Systems Acquisition and IT Security

SUBJECT:        Significant Security Deficiencies in NOAA’s Information Systems Create Risk in Its National Critical Mission
                Final Report No. OIG-14-025-A

Attached is our final report of our audit of NOAA’s information technology security program, which we conducted in accordance with the Federal Information Security Management Act. Specifically, we evaluated information security controls and security-related documentation for four National Environmental Satellite, Data, and Information Service (NESDIS) systems to determine whether key security measures adequately protect them. Additionally, we reviewed the independent security control assessments—conducted in FY 2012 and FY 2013 through an intra-agency shared service agreement—of five National Weather Service (NWS) systems to determine whether the controls were adequately assessed.

We found that (1) information systems connected to NESDIS’ critical satellite ground support systems increase the risk of cyber attacks, (2) NESDIS’ inconsistent implementation of mobile device protections increases the likelihood of a malware infection, (3) critical security controls remain unimplemented in NESDIS’ information systems, and (4) improvements are needed to provide assurance that independent security control assessments are sufficiently rigorous.

We have summarized your agency’s response in the report and included the formal response as appendix C. The final report will be posted on the OIG’s website pursuant to section 8M of the Inspector General Act of 1978, as amended.

In accordance with Department Administrative Order 213-5, please provide us with your action plan within 60 days of the date of this memorandum. We appreciate the cooperation and courtesies extended to us by your staff during our audit. If you have any questions or concerns about this report, please do not hesitate to contact me at (202) 482-1855 or Dr. Ping Sun, Director for IT Security, at (202) 482-6121.

Attachment

cc: Steve Cooper, Chief Information Officer
    Mark Paese, Acting Assistant Administrator for Satellite and Information Services, NOAA
    Zach Goldstein, Acting Chief Information Officer, NOAA
    Rod Turk, Director, Office of Cyber Security, and Chief Information Security Officer
    Lawrence Reed, Director, Cyber Security Division, NOAA
    Vanessa Griffin, Acting Chief Information Officer, NESDIS
    Iftikhar Jamil, Assistant Chief Information Officer, NWS
    Brian Doss, Audit Liaison, NOAA
    Susan Schultz Searcy, Audit Liaison, Office of the Chief Information Officer


Report In Brief, JULY 15, 2014

NATIONAL OCEANIC AND ATMOSPHERIC ADMINISTRATION
Significant Security Deficiencies in NOAA’s Information Systems Create Risk in Its National Critical Mission
OIG-14-025-A

Background

The National Oceanic and Atmospheric Administration’s (NOAA’s) information systems are crucial to its ability to reliably perform its national critical mission. They provide hazardous weather forecasts and warnings, which are essential in protecting life, property, and the nation’s economy.

This information technology (IT) security audit focused on select systems in two line offices that support NOAA’s critical mission: the National Environmental Satellite, Data, and Information Service (NESDIS) and the National Weather Service (NWS). Specifically, we evaluated information security controls and security-related documentation for four NESDIS systems to determine whether key security measures adequately protect them. Additionally, we reviewed the independent security control assessments of five NWS systems to determine whether the controls were adequately assessed.

Why We Did This Review

The Federal Information Security Management Act of 2002 (FISMA) requires agencies to secure their information technology (IT) systems through the use of cost-effective management, operational, and technical controls.

In addition, FISMA requires inspectors general to evaluate agencies’ information security programs and practices, by assessing a representative subset of agency systems, and the results are reported to the Office of Management and Budget (OMB), the Department of Homeland Security, and Congress annually.

WHAT WE FOUND

Information systems connected to NESDIS’ critical satellite ground support systems increase the risk of cyber attacks. The Polar-orbiting Operational Environmental Satellites’ (POES’) and Geostationary Operational Environmental Satellites’ (GOES’) mission-critical satellite ground support systems have interconnections with systems where the flow of information is not restricted, which could provide a cyber attacker with access to these critical assets.

NESDIS’ inconsistent implementation of mobile device protections increases the likelihood of a malware infection. In our review of selected Windows components on four NESDIS systems, we found that (a) unauthorized mobile devices had been connected to POES, GOES, and Environmental Satellite Processing Center (ESPC), and (b) GOES and ESPC did not consistently ensure that Microsoft Windows’ AutoRun feature was disabled.

Critical security controls remain unimplemented in NESDIS’ information systems. Our review of four NESDIS information systems found that NESDIS did not (1) appropriately remediate vulnerabilities, (2) implement required remote access security mechanisms, and (3) implement the secure configuration settings control on IT products.

Improvements are needed to provide assurance that independent security control assessments are sufficiently rigorous. We found that 28 of 60 (47 percent) of the independent assessments of security controls have deficiencies and may not have provided NOAA’s authorizing official with an accurate implementation status of the system’s security controls.

WHAT WE RECOMMEND

That NESDIS’ Assistant Administrator and NOAA’s Chief Information Officer:

1. Conduct a review to determine risks posed by NESDIS’ restricted systems’ current interconnections and ensure that USAF identifies all of DMSP’s interconnections
2. Document and convey to NOAA senior management the risks identified with these interconnections
3. Require that interconnected systems have completed control assessments and are authorized to operate before establishing an interconnection
4. Pursue USAF commitment to conduct security assessments on DMSP
5. Prevent components’ moving between the GOES and SWPC networks for maintenance activities
6. Implement security mechanisms to protect against the use of unauthorized mobile devices
7. Determine a feasible remediation timeframe for applying patches to POES, GOES, and ESPC
8. Ensure appropriate priority to remediation of high-risk vulnerabilities in the required timeframe. If remediation is not feasible, ensure documentation of vulnerabilities and implementation of compensating controls.
9. Ensure (a) information system compliance with all applicable remote access and telework policies and (b) implementation of two-factor authentication
10. Ensure NESDIS telework policy compliance with Department policy on personal devices
11. Implement necessary security mechanisms to secure against remote access via personal computers
12. Ensure that appropriate attention is given to implementing required secure configuration settings in a timely manner and continue the implementation

That NOAA’s Chief Information Officer:

13. Develop a quality control process for assurance that security controls are appropriately assessed before the authorization package is assembled and submitted to the authorizing official


Contents

Introduction
Findings and Recommendations
   I. Information Systems Connected to NESDIS’ Critical Satellite Ground Support Systems Increase the Risk of Cyber Attacks
      A. POES Is Interwoven with a Department of Defense Information System, Putting POES at Significant Risk
      B. Administration of SWPC Components Within the GOES System Introduces an Unnecessary Security Risk
   II. NESDIS’ Inconsistent Implementation of Mobile Device Protections Increases the Likelihood of a Malware Infection
   III. Critical Security Controls Remain Unimplemented in NESDIS’ Information Systems
      A. NESDIS’ Ineffective Vulnerability Remediation Activities Leave Its Mission-Critical Assets Vulnerable to Compromise
      B. NESDIS’ Remote Access Deficiencies Leave Its Information Systems Vulnerable to Cyber Attacks
      C. NESDIS’ Critical Mission Support Systems Continue to Lack Secure Configuration Settings
   IV. Improvements Are Needed to Provide Assurance That Independent Security Control Assessments Are Sufficiently Rigorous
Summary of Agency and OIG Comments
Appendix A: Objectives, Scope, and Methodology
Appendix B: List of Acronyms and Abbreviations
Appendix C: Agency Response


Introduction

Part of the mission of the National Oceanic and Atmospheric Administration (NOAA) is to understand and predict changes in weather, oceans, climate, and coasts and to share that knowledge and information with other agencies and the public. NOAA’s information systems are crucial to its ability to reliably perform its national critical mission. They provide hazardous weather forecasts and warnings, which are essential in protecting life, property, and the nation’s economy. Our audit focused on select systems in two line offices that support NOAA’s critical mission: the National Environmental Satellite, Data, and Information Service (NESDIS) and the National Weather Service (NWS).

The Federal Information Security Management Act of 2002 (FISMA) requires agencies to secure their information technology (IT) systems through the use of cost-effective management, operational, and technical controls. The goal is to provide adequate security commensurate with the risk and extent of harm resulting from the loss, misuse, or unauthorized access to or modification of information collected or maintained by or on behalf of an agency. In addition, FISMA requires inspectors general to evaluate agencies’ information security programs and practices, by assessing a representative subset of agency systems, and the results are reported to the Office of Management and Budget (OMB), the Department of Homeland Security, and Congress annually.

As part of an overall assessment of NOAA’s IT security program, we evaluated information security controls and security-related documentation for four high-impact NESDIS systems to determine whether key security measures adequately protect them (see table 1).

Table 1: NESDIS Information Systems Reviewed

System Name / Primary Function

Polar-orbiting Operational Environmental Satellites (POES): Satellite ground support system that provides computing resources necessary to control and collect data for weather imagery data from POES satellites.

Geostationary Operational Environmental Satellites (GOES): Satellite ground support system that provides computing resources necessary to command and control and collect data for weather imagery data from GOES satellites.

Environmental Satellite Processing Center (ESPC): NOAA’s data-processing system for the nation’s environmental satellite data received from POES, GOES, and the European Meteorological Operational Satellite environmental satellites. ESPC distributes environmental data products to the National Weather Service (NWS); the primary forecast centers of the U.S. Navy and U.S. Air Force; and international forecast centers, academia, and private-sector entities.

Search and Rescue Satellite Aided Tracking (SARSAT): SARSAT relays distress signals—generated by aviators, mariners, and land-based users—to search and rescue services.

Additionally, we reviewed the Federal Aviation Administration’s (FAA) independent security control assessment—conducted in fiscal year (FY) 2012 and FY 2013 through an interagency shared service agreement—of five high- and moderate-impact NWS systems to determine if the controls were adequately assessed (see table 2).

For further details regarding the objectives, scope, and methodology of this audit, see appendix A.

Table 2: NWS Information Systems Reviewed

System Name / Primary Function

Aviation Weather Center (AWC): Enhances aviation safety by issuing warnings, forecasts and analyses of hazardous weather and originates operational forecasts of weather conditions predicted to affect domestic and international aviation. The Center also identifies existing or imminent weather hazards to aircraft in flight and creates warnings for transmission to the aviation community.

Space Weather Prediction Center (SWPC): Provides real-time monitoring and forecasting of solar and geomagnetic events, is used to conduct research in solar-terrestrial physics, and develops techniques for forecasting solar and geophysical disturbances.

Storm Prediction Center (SPC): Provides tornado and severe weather watches for the contiguous United States and forecasts the risk of severe thunderstorms, tornadoes, and conditions favorable for wildfires in the contiguous United States.

National Hurricane Center (NHC): Issues forecasts, advisories, watches, and warnings for tropical cyclones over the Atlantic basin (including the Gulf of Mexico and Caribbean), Northeast Pacific basins, and backs up the Central Pacific Hurricane Center for tropical cyclone forecasts.

National Centers for Environmental Prediction (NCEP) Central Operations: Provides forecast, guidance, and analysis products and services to support the daily public forecasting activities of the National Weather Service and provides tailored support to other government agencies in emergency situations.


Findings and Recommendations

As part of our annual FISMA work, we reviewed NOAA’s IT security program and critical security controls in place to protect its mission capabilities. We found that (1) the flow of information between NESDIS’ critical satellite ground support systems and other information systems puts its critical assets at risk of cyber attacks, (2) unauthorized mobile devices increase the risk of a malware infection, (3) NESDIS continues to have unimplemented critical security controls, and (4) improvements are needed to provide assurance that independent security control assessments are sufficiently rigorous.

I. Information Systems Connected to NESDIS’ Critical Satellite Ground Support Systems Increase the Risk of Cyber Attacks

Restricting the flow of information between interconnected systems is a significant part of NESDIS’ IT security strategy to protect its mission critical assets—POES and GOES satellite ground support systems—from cyber attacks. However, we found that both POES and GOES have interconnections with systems where the flow of information is not restricted, which could provide an attacker with access to these critical assets. Although system interconnections can facilitate interagency and external communications and services, such connections can also pose significant risk to each interconnected information system (i.e., more easily allow malware to spread, or attackers to use one system to access another).

A. POES Is Interwoven with a Department of Defense Information System, Putting POES at Significant Risk

Even though NESDIS asserted POES has restricted the flow of information with other systems, we found that POES is actually interwoven with U.S. Air Force’s (USAF) Defense Meteorological Satellite Program (DMSP) to the point where they are virtually one system. Specifically, there is no physical or logical separation between the systems (i.e., the systems operate on the same network and data can flow between the systems); they share support personnel, and they share some of the same support services and IT security controls (e.g., access control via a common Microsoft Windows Active Directory domain). This interweaving means that deficiencies in one system’s security posture will drastically affect the other system’s security.

Unfortunately, because USAF and NOAA disputed for several years (from 2006 to 2010) who was responsible for DMSP’s security, neither organization conducted security assessments of DMSP. Ultimately, USAF and NOAA determined in 2010 that USAF was responsible for DMSP. However, USAF has yet to fulfill its responsibilities[1] by determining DMSP’s security posture and ensuring that the system meets the Department’s security requirements (see exhibit 1 for a timeline).

[1] USAF is responsible for ensuring that (1) DMSP is appropriately authorized, (2) DMSP meets the Department of Commerce’s security requirements, and (3) security testing is conducted. See memo from Col. Alec M. Robinson, USAF Program Executive Officer for Environmental Satellites, to NOAA Assistant Administrator for Satellite and Information Services, May 13, 2010, on DMSP Ground Service Life Extension Program (GSLEP).

Exhibit 1. Timeline of the POES-DMSP Relationship

1994  Presidential Directive (NSTC-2) issued. It places NOAA in charge of combining POES and DMSP, with the goal of reducing duplicative capabilities.
1998  NOAA completes the interweaving of POES and DMSP and takes responsibility for DMSP. (NOAA continues to operate DMSP until 2010.)
2003  NOAA grants DMSP a 3-year authorization to operate (ATO).
2006  DMSP’s ATO expires, and NOAA contests its responsibility for DMSP. The dispute continues until 2010. No security assessments or authorizations occur during this time period.
2010  USAF resumes responsibility for DMSP and grants an ATO without assessing the system’s security posture.
2011  USAF and NOAA again dispute responsibility for DMSP’s security posture and USAF does not grant an ATO for DMSP nor conducts security assessments.
2012  NESDIS officially acknowledges POES and DMSP are interwoven. USAF again does not conduct an assessment of DMSP’s security posture. Instead, it grants DMSP an ATO based on POES’ security posture.
2013  OIG begins to review POES and GOES security postures as part of its audit of NOAA’s IT security program. USAF again does not conduct an assessment of DMSP’s security posture. Instead, it grants DMSP an ATO based on POES’ security posture.

Source: OIG analysis

DMSP presents a significant security risk to POES. Without sufficient assessments, both USAF and NOAA have very little knowledge of DMSP’s security posture or how DMSP’s deficiencies affect the intertwined systems. However, we have identified risk factors that put the POES system at significant risk of a compromise, which could have an impact on NOAA’s mission capabilities. Specifically:

• NESDIS cannot fully understand POES’ security risks because DMSP’s interconnections with other information systems have not been assessed. We identified an interconnection that presents significant risk to POES through its interweaving with DMSP. Specifically, DMSP has an interconnection with another NOAA system—one that also has significant security deficiencies of its own—that is connected to the Internet. This other system’s connection to the Internet could allow an attacker to gain remote access to DMSP and, through its interweaving with DMSP, to POES. The existence of this interconnection was not conveyed in POES’ security authorization package to NOAA management. Consequently, NOAA management did not factor this significant risk into its subsequent risk-based authorization decision. DMSP’s interconnection significantly increases POES’ risk of a compromise and contradicts NESDIS’ assertions that risk to its systems was decreased by restricting the flow of information between POES and its interconnected systems.

• Limited assessments identified significant security deficiencies within DMSP. Even though DMSP’s current security posture is mostly unknown, significant security vulnerabilities were identified by NESDIS’ security testing of POES’ components in FY 2013, and fixes for some of these vulnerabilities have been available for a decade or more. NESDIS’ assessors inadvertently scanned DMSP components and identified serious vulnerabilities that could be easily exploited by an attacker (e.g., weak or default passwords and operating system vulnerabilities with well documented exploits). The presence of such vulnerabilities indicates a significant vulnerability remediation deficiency. Given the level of integration between the two systems, we are concerned that this deficiency is putting both of them at increased risk.

• POES will remain interwoven with DMSP, and DMSP’s security posture will remain deficient for some time. Presently, NESDIS does not anticipate completing an initial plan until the end of FY 2014 and has asserted that if funding is not available it will abandon any corrective actions and accept the risks of leaving the systems interwoven. Further, USAF does not plan to conduct an assessment of DMSP’s security posture until it completes a technology refresh in 2016 (i.e., replace DMSP’s legacy hardware and software components). However, there is doubt that the refresh will occur because of the USAF’s funding constraints.

We are concerned that the necessary corrective actions to separate these systems will not occur for several more years; thus, the systems would remain interwoven and at increased risk. Further, without an assessment to understand (1) how POES and DMSP are interwoven, (2) the risks to POES, and (3) DMSP’s security posture, USAF and NESDIS will not understand the risks to either system and cannot develop an effective plan to address the risks and separate the two systems.

NESDIS cannot adequately convey to NOAA management the risks to POES. NESDIS can neither accurately determine nor appropriately convey POES’ security posture, nor the risk level associated with its interweaving with DMSP, because it does not understand all the risks associated with DMSP’s security posture and interconnections. For example, the NESDIS assessors who reviewed POES could not effectively assess the system’s security posture because the boundaries between POES and DMSP components were so poorly defined (i.e., what components belonged with which system). Because of this, the assessors could not make an accurate determination of POES’ security posture without assessing both POES and DMSP. To date, no such assessment has been undertaken.

Although POES and DMSP have been interwoven for years, it was not until POES’ March 2012 authorization briefing that NESDIS conveyed to NOAA management that DMSP increased POES’ risk of a compromise and began officially including this risk in the Department’s risk tracking system. Even though NESDIS did not understand all the risks and their potential impacts, it conveyed to NOAA management that POES’ interweaving with DMSP represented a medium risk level (i.e., not implementing security mechanisms on POES presented a medium risk of compromise).

Further, POES staff asserted that firewalls have been installed to prevent unwanted intrusion, thus mitigating some of the risk. However, with the two systems being closely interwoven and sharing resources (e.g., printers, routers, log servers, and access control), such firewalls will not protect POES from an internal threat originating from DMSP. We believe POES is not protected as NESDIS intended. This puts POES’ capabilities, which support NOAA’s national critical mission, at risk.

B. Administration of SWPC Components Within the GOES System Introduces an Unnecessary Security Risk

NESDIS operates a network extension at the NWS’ Boulder, Colorado, location that directly connects to the primary GOES ground support system network. This extension hosts multiple server components maintained by SWPC, providing a proprietary one-way link that is designed to move space weather data from GOES to SWPC. We found that SWPC’s current system maintenance process, used to remediate security vulnerabilities and deploy new software on components within the GOES system, presents undue risk. Specifically:

• To perform the maintenance activities, SWPC staff disconnects the components from the GOES extension and reconnects the components to the local SWPC network. Once completed, the components are then reconnected to the GOES extension. Should the components contract a malware infection while on the SWPC network, the infection could spread from the returned components on the GOES extension and into the GOES ground support system.

• SWPC has a connection to the Internet through an interconnection with another NWS information system. This Internet connection could allow an attacker to compromise SWPC and, through SWPC, gain access to the GOES extension.

Although the exchange of weather data is governed by an interconnection agreement between GOES and SWPC, we found that neither side has appropriately considered the risks associated with the current maintenance process. We believe that SWPC’s maintenance process violates NESDIS’ intended protection of the GOES information system. Since GOES maintains other components it owns that reside on the network extension, GOES should have the capability to also maintain these components.

Recommendations

We recommend that NESDIS’ Assistant Administrator and NOAA’s Chief Information Officer:

1. Conduct a review to determine the risks posed by NESDIS’ restricted systems’ current interconnections and ensure that the USAF identifies all of DMSP’s interconnections with other information systems.

2. Document and convey to NOAA senior management the risks identified with these interconnections.

3. Require that interconnected systems have completed control assessments and are authorized to operate before establishing an interconnection.

4. Pursue USAF’s commitment that DMSP meets Department of Commerce’s security requirements and conduct security assessments, as outlined in a memorandum from the USAF to NOAA on May 13, 2010.

5. Prevent components from moving between the GOES network and SWPC network for maintenance activities.
II. NESDIS' Inconsistent Implementation of Mobile Device Protections Increases the Likelihood of a Malware Infection

We reviewed a selection of Windows components, such as workstations and servers, on each of the four NESDIS systems to determine whether the necessary security protections are in place to prevent unauthorized mobile device usage (e.g., USB flash drives and smartphones connecting to system components). Specifically, we found that

• Unauthorized mobile devices had been connected to POES, GOES, and ESPC, because each system lacked the necessary protection (see table 3). Mobile devices can carry malware that, when plugged into a workstation or server, could execute malicious code residing on the device and lead to a compromised system. Accordingly, there has been a long-standing requirement that agencies restrict the use of mobile devices. Implementing required mobile device security mechanisms helps prevent the spread of malware and limits the risk of a compromise of critical assets. Further, mobile devices are one of the means by which an attacker can access and compromise a system with restricted interconnections, such as NESDIS' satellite ground-support systems POES and GOES.

• GOES and ESPC did not consistently ensure that Microsoft Windows' AutoRun feature was disabled.[2] This is a critical element of mobile device security. According to a recent study by Microsoft, 26 percent of successful malware propagation was attributed to USB devices taking advantage of Microsoft Windows' AutoRun feature, which allowed malicious code to execute automatically when users plugged their infected mobile devices into computers.[3] In 2009, the U.S. Computer Emergency Readiness Team[4] (US-CERT) issued an alert regarding AutoRun, emphasizing that disabling it can help prevent the spread of malicious code.[5]

Although SARSAT has the necessary protections to prevent the use of unauthorized mobile devices, POES, GOES, and ESPC do not. As it only takes one infected mobile device to spread malware and allow an attacker access to restricted systems like POES and GOES, NESDIS' critical components are at increased risk of compromise.

[2] AutoRun is a technology used to start some programs or enhanced content (such as video content on a mobile device) automatically when a device is connected to a computer.

[3] Microsoft. Microsoft Security Intelligence Report Volume 11 [Online], download.microsoft.com/download/0/3/3/0331766E-3FC4-44E5-B1CA-2BDEB58211B8/Microsoft_Security_Intelligence_Report_volume_11_English.pdf (accessed September 16, 2013).

[4] US-CERT, a part of the Department of Homeland Security, leads efforts to improve the nation's cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks to the nation.

[5] US-CERT. Microsoft Windows Does Not Disable AutoRun Properly [Online], www.us-cert.gov/ncas/alerts/TA09-020A (accessed September 20, 2013).

Table 3. Review of NESDIS' Mobile Device Usage and Security Protections Implemented on a Selection of Microsoft Windows Components

                                                        NESDIS Systems Reviewed
Issue                                                   POES    GOES    ESPC    SARSAT
Percentage of components with recent
  unauthorized USB device activity                      41%     36%     48%     0%
Percentage of components with AutoRun enabled           0%      68%     29%     0%
Types of devices identified                             USB flash drives and smartphones (POES, GOES, ESPC); N/A (SARSAT)

Source: OIG analysis

Recommendation

We recommend that NESDIS' Assistant Administrator and NOAA's Chief Information Officer:

6. Implement security mechanisms to protect against the use of unauthorized mobile devices.

III. Critical Security Controls Remain Unimplemented in NESDIS' Information Systems

Our review of the four NESDIS information systems (POES, GOES, ESPC, and SARSAT) identified that NESDIS continues to struggle to implement fundamental security requirements. Specifically, NESDIS did not (1) appropriately remediate vulnerabilities, (2) implement required remote access security mechanisms, and (3) implement the secure configuration settings control on IT products (e.g., operating systems, databases, and web servers).

A. NESDIS' Ineffective Vulnerability Remediation Activities Leave Its Mission-Critical Assets Vulnerable to Compromise

Numerous high-risk vulnerabilities remain in NESDIS' systems because of its deficient vulnerability remediation practices. High-risk vulnerabilities may provide an attacker with immediate access into a computer system, such as allowing remote execution of malicious commands.

Three of the four systems reviewed (POES, GOES, and ESPC) have a significant number of vulnerabilities that have not been remediated.
Specifically, our review of each system's vulnerability scans[6] found that:

• POES, GOES, and ESPC have thousands of vulnerabilities, where some of the vulnerabilities in the software have been publicly disclosed for as long as 13 years (see table 4). The older the vulnerability, the more likely exploits have been incorporated into common hacking toolkits, making it much easier for even an unskilled attacker to compromise a system.

• ESPC and POES have not remediated 24 percent and 50 percent, respectively, of the high-risk vulnerabilities[7] identified by the OIG's FY 2010 vulnerability scans.[8]

Table 4: Unremediated High-Risk Vulnerabilities Identified on NESDIS' Systems

                                          NESDIS Systems Reviewed
                    POES              GOES              ESPC              SARSAT
Time frame(a)   Unique  Instances  Unique  Instances  Unique  Instances  Unique  Instances
                Vul.(b) (c)        Vul.               Vul.               Vul.
1990–1999            9        36       0         0       12       139        2         2
2000–2009          203     1,576      47     1,221      548     7,368        0         0
2010–2012(d)       697     5,639     251     4,080    2,063    42,968       94       197
Total              909     7,251     298     5,301    2,623    50,475       96       199

Source: OIG analysis

a. Time frame is when the vulnerability was identified in the software.
b. Unique vulnerabilities is the total number of distinct vulnerabilities for a specified time frame on the system.
c. Instances is the total number of vulnerabilities on a system for a specified time frame.
d. Since the scans we reviewed occurred at the beginning of 2013, vulnerabilities related to 2013 were not included.

[6] At the time of our analysis, we selected each system's most recent vulnerability scan to determine the system's current vulnerabilities.

[7] The percentage of unremediated vulnerabilities references unique vulnerabilities within the environment, not specific to a system component.

[8] U.S. Department of Commerce, Office of Inspector General, November 15, 2010. Office of the Secretary: Federal Information Security Management Act Audit Identified Significant Issues Requiring Management Attention, final report no. OIG-11-012-A. Washington, DC: Commerce OIG.

[9] National Institute of Standards and Technology, February 2005. Recommended Security Controls for Federal Information Systems, NIST Special Publication 800-53 Rev. 3. Gaithersburg, MD.

Timely vulnerability management has been a security requirement for many years.[9] NESDIS asserted that, to meet this requirement, its staff follows a vulnerability management process wherein they perform credentialed, quarterly scans of each system and extensively test patches for software flaws (i.e., ensuring that the patch will not cause software to crash) before applying them. However, NESDIS staff admitted that they do not follow their own vulnerability remediation process. Specifically,

• Staff claimed that they are unable to deploy software and operating system security patches to POES, GOES, and ESPC within the approved patch cycle.[10]

• Staff from three of four NESDIS systems (POES, GOES, and ESPC) indicated that they do not track patches that cannot be applied to system components. This not only results in unpatched components, but it also leaves NESDIS with an inaccurate understanding of security risks within each system.[11]

As identified in findings I and II, NESDIS' systems are vulnerable to external attacks via unauthorized USB devices and system interconnections.
Further, the presence of numerous high-risk vulnerabilities increases the risk that these systems could be successfully compromised.

[10] NESDIS increased the remediation timeframe for GOES from the Department's required 30 days to 120 days to allow for more rigorous testing of software patches.

[11] In some instances, applying patches to fix a software flaw can affect a system's operations (such as rendering custom software inoperable) or have other adverse effects. If a patch cannot be applied, compensating controls are identified that will mitigate the risks of operating with the vulnerability. However, NESDIS did not have evidence of this process being applied in its remediation activities.

B. NESDIS' Remote Access Deficiencies Leave Its Information Systems Vulnerable to Cyber Attacks

Both ESPC and SARSAT—the two systems we reviewed that allow remote access—lack two-factor authentication and do not have sufficient mechanisms to restrict the use of personal computers.

NESDIS' information systems lack the required two-factor authentication necessary to secure remote access to its critical assets. We found that ESPC and SARSAT[12] have not implemented two-factor authentication for remote access. Without two-factor authentication, stolen credentials with administrative privileges could allow an attacker full access to the information system. For example, use of a secure token (e.g., a physical form of identification that is more difficult for an attacker to acquire) provides a second, stronger authentication element—in addition to basic authentication mechanisms such as a username and password—to the remote access process. As introduced in finding I, an attacker with access to one system poses a threat to other interconnected systems.

Implementation of two-factor authentication is a government-wide requirement for high-impact systems. Owing to resource constraints, NESDIS has chosen to forgo this requirement at this time. Further, NESDIS has not developed plans to implement the requirement, nor is it clear when NESDIS will comply.

NESDIS did not follow the Department's requirement to restrict the use of personal computers for remote access. As personal computers are not required to adhere to Department policy, there is a distinct lack of assurance that these computers have the security necessary to protect the Department's information systems and data. Accordingly, the Department has expressly prohibited the use of personal computers for remotely accessing information systems for several years.[13] However, NESDIS does not restrict personal computer use; instead, it allows personal computer use based on operational need, including remote administration of an information system. Specifically, we found:

• NESDIS information systems lack the necessary security mechanisms to prohibit personal computer use. ESPC and SARSAT asserted that appropriate remote access security mechanisms, including restricting personal computers, are implemented.
However, we found the systems lack the necessary technical enforcement mechanisms to monitor for and stop personal computers from remotely accessing the information systems (e.g., checking remote connections to identify authorized computers and restricting access to those computers only).

• NESDIS has experience with the perils of allowing personally owned devices access to its systems. In a FY 2013 cyber incident, an attacker exfiltrated data from a NESDIS system to a suspicious external IP address via the remote connection established with a personal computer. The NOAA Computer Incident Response Team determined that the personal computer was likely infected with malware, but NOAA could not pursue the investigation because it involved a personal device, not government equipment (i.e., the owner of the personal computer, even though a NESDIS contractor, did not give NOAA permission to perform forensic activities on the personal computer). This incident highlights the risk of using personal computers to remotely access government information systems, as well as the hindrances to incident response efforts.

• NESDIS' current telework policy does not provide critical guidance on the appropriate use of personal computers. Although NESDIS asserts that its policies and staff follow the Department's policies, we found that NESDIS' telework policy is ambiguous and contradicts the Department's telework policy. Specifically, NESDIS' policy does not specify under what circumstances personal computers are authorized to remotely access NESDIS' information systems, nor who may do so. Consequently, NESDIS' staff does not have clear guidance on this matter. By allowing access by personal computers, NESDIS is jeopardizing the security of its information systems.

[12] SARSAT has a waiver for two-factor authentication as it applies to its public user base. However, we are concerned with its system administrators, contractors, and other local users remotely accessing the system, for which that requirement still applies.

[13] Department policy specifies that personal computers are only allowed to access Web-based email services and select secure Web portals. U.S. Department of Commerce, February 2013, "Telework Program."

C. NESDIS' Critical Mission Support Systems Continue to Lack Secure Configuration Settings

We found that NESDIS has not implemented the secure configuration settings control, an essential aspect of securing an information system that, when appropriately implemented, can effectively minimize cyber attacks.
For example, attackers look for easily exploitable default (unsecured) system configurations (e.g., extraneous software installed and default passwords) that are often set for ease of deployment and ease of use.

In order to implement secure configuration settings, each information system must (1) define a set of secure configuration settings for each IT product, (2) implement the configuration settings on all system components, (3) document approved deviations from the mandatory configuration settings, and (4) monitor components for changes to the established configuration settings.[14] Despite secure configuration settings being a required security control for more than six years, NESDIS' systems are only in the beginning stages of implementing this critical control's requirements.

We found that

• None of the systems have successfully fulfilled these requirements, and the secure configuration settings remain unimplemented. POES and GOES are in the process of defining secure baselines for the IT products in each system (the first requirement). SARSAT and ESPC are implementing the selected baselines and documenting deviations (the second and third requirements).

• NESDIS has acquired an enterprise configuration settings monitoring tool (to meet the fourth implementation requirement), but its systems have not yet implemented secure configuration settings. NESDIS intends to deploy the tool enterprise-wide to monitor baselines within all systems' components. However, each system (and NESDIS as a whole) cannot effectively use the tool to monitor for changes until secure baselines are selected and implemented, and deviations are documented.

Until NESDIS completely implements this critical control, assets central to its mission will continue to operate in an unsecure, vulnerable state.

[14] National Institute of Standards and Technology, Computer Security Division, Information Technology Laboratory, August 2009. Recommended Security Controls for Federal Information Systems and Organizations, NIST Special Publication 800-53 Rev. 3. Gaithersburg, MD.

Recommendations

We recommend that NESDIS' Assistant Administrator and NOAA's Chief Information Officer:

7. Determine a feasible remediation timeframe for applying patches to POES, GOES, and ESPC.

8. Ensure that management gives appropriate priority to remediation of high-risk vulnerabilities in the required timeframe. If remediation is not feasible, ensure that vulnerabilities are documented and that compensating controls are implemented.

9. Ensure that information systems are compliant with all applicable remote access and telework policies and that two-factor authentication is implemented.

10. Ensure that NESDIS' telework policy complies with Department policy concerning the use of personal devices for remote access.

11. Implement the necessary security mechanisms to secure against remote access via personal computers.

12. Ensure that appropriate attention is given to implementing required secure configuration settings in a timely manner and continue the implementation by: (1) establishing and documenting mandatory configuration settings; (2) implementing these settings; (3) identifying, documenting, and approving deviations from mandatory settings; and (4) monitoring components for changes to the implemented settings.

IV. Improvements Are Needed to Provide Assurance That Independent Security Control Assessments Are Sufficiently Rigorous

An independent security control assessor must evaluate the security controls implemented on an information system before the organization places the system into operation. These independent assessments provide the authorizing official (AO)[15] with an unbiased accounting of the system's security posture, such as the implementation status of security controls. The AO uses this information to ensure that the risks identified during the assessments are at an acceptable level to allow the system to operate. Inadequate security control assessments could misrepresent a system's security posture, giving the AO an inaccurate understanding of the risks when granting an authorization to operate.

To meet the requirement for independent security assessments of its information systems, NOAA procured the services of the FAA Enterprise Service Center, which is designated by OMB as a certification and accreditation shared-services provider.
We evaluated 12 critical security control assessments[16] on each of the five NWS systems, for a total of 60 controls, to determine the quality of FAA's assessments. We found that 28 of 60 (47 percent) of the control assessments have deficiencies and may not have provided the AO with an accurate implementation status of the system's security controls.

Independent assessors did not conduct sufficiently rigorous assessments of critical security controls. NOAA selected a designated certification and accreditation shared-services provider with the expectation that the assessments would be sufficiently rigorous. However, our review identified the following types of assessment deficiencies:

• Assessment results lacked supporting evidence. Although the FAA assessors reported that they performed appropriate tests of the security controls, there was no evidence to support the assessment results. For example, assessors claimed that components were configured to require appropriate password protections, but the assessors did not provide any evidence that an assessment was conducted.

• Evidence collected during the assessments contradicted the assessor's conclusion. The FAA assessors asserted that controls were appropriately implemented, despite evidence that directly contradicted these assertions. For example, the assessors concluded that there was an established baseline of authorized software enforced on the system, despite evidence collected by the assessors showing the presence of unauthorized software.

• Not all requirements of the security control were assessed. Regularly scanning system components for vulnerabilities is a key security requirement. Scans must be conducted with the appropriate credentials, which provide more complete vulnerability information. For example, the FAA assessors concluded the control was implemented, but they had an insufficient basis for reaching this conclusion, as they had not verified that NWS staff had conducted credentialed scans.

• Not all types of IT products in a system were assessed. To ensure that security controls are appropriately implemented on a system, assessors should assess each type of IT product in the information system. The FAA assessors, however, only reviewed certain IT products in a given NWS system—such as Microsoft Windows and Red Hat Linux—and did not assess others, such as Cisco IOS or databases. Thus, the assessors gained an incomplete picture of the risks within each system, and the implementation status of controls on these IT products remains unknown.

[15] The authorizing official is a senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations and assets, individuals, other organizations, and the nation. Authorizing officials typically have budgetary oversight for an information system or are responsible for the mission and/or business operations supported by the system.

[16] These 12 security controls are a subset of the NIST 800-53 controls, which we selected as critical to securing an information system.

NOAA would benefit from incorporating quality control measures into its review process. Currently, to ensure that authorization packages are complete and accurate prior to the AO's review, NOAA's OCIO staff conducts a compliance review. However, the review does not check the quality of the independent security control assessments; instead, it only ensures that the package has the required documents.

While NOAA's selection of a designated shared-service provider should have ensured its independent assessments were sufficiently rigorous, our findings indicate that NOAA would benefit from incorporating quality control measures into its review process. With these measures, the authorizing official has more assurance that the authorization package received is sufficient for an informed, risk-based decision.

Recommendation

We recommend that NOAA's Chief Information Officer:

13. Develop a quality control process that provides better assurance that security controls are appropriately assessed before the authorization package is assembled and submitted to the authorizing official.

Summary of Agency and OIG Comments

NOAA Response

In response to our draft report, NOAA generally concurred with the findings and recommendations. NOAA indicated that it had already implemented recommendation 3, and partially implemented recommendation 7. NOAA also included suggested factual and technical changes to our findings.

NOAA stated that it implemented recommendation 3 by requiring that all NESDIS systems annually complete an authorization with independent security controls and risk assessments, and that both interconnected systems have a current authorization. NOAA also stated it has implemented recommendation 7 for GOES, and planned to implement it for POES and ESPC.

NOAA took issue with some of the statements in findings I and III of the report, asking that those be revised. The specific issues NOAA highlighted are as follows:

Issue 1: The statement that NOAA management did not factor in the risks associated with the POES-DMSP interconnection when making the decision to authorize POES.

Issue 2: The statement that DMSP is operating with significant deficiencies because the assessments referenced by the OIG occurred in 2013.

Issue 3: The use of the statement "will immediately" implied that NOAA was deliberately choosing not to correct significant deficiencies.

Issue 4: The statement that NOAA could not appropriately characterize the POES-DMSP interconnection as a medium risk.

Issue 5: The 2013 incident discussed in finding III.B was out of the scope of this audit because it was not directly related to the systems we assessed.

NOAA's response is reproduced in its entirety in appendix C of this report.

OIG Comments

With regard to recommendation 3, NOAA's implementation is partially responsive to our recommendation.
Our recommendation asks NOAA to require that all systems, even those\nowned by other agencies, complete control assessments and be authorized to operate, before\nestablishing a connection.\n\nWhile we made some modifications to our report based on NOAA\xe2\x80\x99s response in issues 2 and\n3, we stand by the statements regarding issues 1, 4, and 5, and explain our rationale accordingly:\n\n    Issue 1:\t    The statement was referencing the risk associated with DMSP\xe2\x80\x99s interconnection\n                 with another high-impact NESDIS system that is connected to the Internet. This\n                 risk was not specifically conveyed in POES\xe2\x80\x99s authorization package to NOAA\n                 management.\n\n\n\nFINAL REPORT NO. OIG-14-025-A                                                                      17\n\x0cU.S. DEPARTMENT OF COMMERCE                                            OFFICE OF INSPECTOR GENERAL\n\n                 The authorization package is used by authorizing officials to make the risk-based\n                 decision in allowing a system to operate. 
Considering the close interweaving of\n                 POES and DMSP, the risk of interconnection between DMSP and the other\n                 NESDIS information system, which has a connection to the Internet, should have\n                 been specifically included in the authorization package.\n\n    Issue 4:\t    Regarding the POES-DMSP interconnection, NOAA did not consider the\n                 security risks within DMSP when determining the risk level for the\n                 interconnection, because the security posture of DMSP is unknown.\n\n                 Currently, DMSP and POES continue to share domain controllers, which provide\n                 central account management and authentication services for these two systems.\n                 Sharing these critical services provide an easy way for malicious attackers to\n                 attack POES through DMSP, by bypassing nearly all internal protection\n                 mechanisms such as firewalls and user access controls.\n\n                 We also believe that current security controls in place within POES will not\n                 effectively protect POES from attacks originating from DMSP. NOAA\xe2\x80\x99s own risk\n                 assessment report on POES, dated March 18, 2014, stated \xe2\x80\x9cthere is no\n                 protection between DMSP and POES and the boundary is not properly\n                 documented.\xe2\x80\x9d\n\n    Issue 5:\t    The incident mentioned in the report is very relevant to our finding related to\n                 remote access. As stated in the report, \xe2\x80\x9cthis incident highlights the risk of using\n                 personal computers to remotely access government information systems, as well\n                 as hindrances to incident response efforts.\xe2\x80\x9d However, we acknowledge that the\n                 incident did not occur on one of the systems that we focused on for our review.\n\n\n\n\nFINAL REPORT NO. 
OIG-14-025-A                                                                     18\n\x0cU.S. DEPARTMENT OF COMMERCE                                          OFFICE OF INSPECTOR GENERAL\n\n\nAppendix A: Objectives, Scope, and\nMethodology\nOur audit objective was to assess the effectiveness of NOAA\xe2\x80\x99s information security program by\ndetermining whether key security measures adequately protect NOAA\xe2\x80\x99s systems. To do so,\nwe:\n\n    \xef\x82\xb7\t Assessed a subset of security controls on information system components\n\n    \xef\x82\xb7\t Reviewed system-related artifacts, including policy and procedures, planning documents,\n       and other material supporting the security authorization process\n\n    \xef\x82\xb7\t Interviewed operating unit personnel, including system owners, IT security officers, IT\n       administrators, and organizational directors and administrators\n\nWe reviewed NOAA\xe2\x80\x99s compliance with the following applicable internal controls, provisions of\nlaw, regulation, and mandatory guidance:\n\n    \xef\x82\xb7\t The Federal Information Security Management Act of 2002\n\n    \xef\x82\xb7\t IT Security Program Policy and Minimum Implementation Standards, U.S. Department of\n       Commerce, introduced by the Chief Information Officer on January 9, 2009, and\n       applicable Commerce Information Technology Requirements\n\n    \xef\x82\xb7\t NIST Federal Information Processing Standards Publications:\n\n             o\t 199, Standards for Security Categorization of Federal Information and\n                Information Systems\n\n             o\t 200, Minimum Security Requirements for Federal Information and Information\n                Systems\n\n    \xef\x82\xb7\t NIST Special Publications:\n\n             o\t 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal\n                Information Systems: A Security Life Cycle Approach\n\n             o\t 800-53 Rev. 
3, Recommended Security Controls for Federal Information Systems\n                and Organizations\n\n             o\t 800-53 A Rev. 1, Guide for Assessing the Security Controls in Federal\n                Information Systems and Organizations, Building Effective Security Assessment\n                Plans\n\n\n\n\nFINAL REPORT NO. OIG-14-025-A                                                                    19\n\x0cU.S. DEPARTMENT OF COMMERCE                                      OFFICE OF INSPECTOR GENERAL\n\nWe conducted our field work from March 2013 to December 2013. We performed this audit\nunder the authority of the Inspector General Act of 1978, as amended, and Department\nOrganization Order 10-13, dated April 26, 2013, and in accordance with generally accepted\ngovernment auditing standards. Those standards require that we plan and perform the audit to\nobtain sufficient, appropriate evidence to provide a reasonable basis for our findings and\nconclusions based on our audit objectives. We believe that the evidence obtained provides a\nreasonable basis for our findings and conclusions.\n\n\n\n\nFINAL REPORT NO. OIG-14-025-A                                                              20\n\x0cU.S. 
DEPARTMENT OF COMMERCE                                                 OFFICE OF INSPECTOR GENERAL\n\n\nAppendix B: List of Acronyms and\nAbbreviations\n Acronym                                                          Definition\n\n AO                             Authorizing Official\n ATO                            Authorization to Operate\n AWC                            Aviation Weather Center\n Cisco IOS                      Cisco Internetwork Operating System\n DMSP                           Defense Meteorological Satellite Program\n ESPC                           Environmental Satellite Processing Center\n FAA                            Federal Aviation Administration\n FISMA                          The Federal Information Security Management Act of 2002\n GOES                           Geostationary Operational Environmental Satellites\n GSLEP                          Ground Service Life Extension Program\n IT                             Information Technology\n NCEP                           National Centers for Environmental Prediction\n NESDIS                         National Environmental Satellite, Data, and Information Service\n NHC                            National Hurricane Center\n NIST                           National Institute for Standards and Technology\n NOAA                           National Oceanic and Atmospheric Administration\n NWS                            National Weather Service\n OCIO                           Office of the Chief Information Officer\n POES                           Polar-orbiting Operational Environmental Satellites\n SARSAT                         Search and Rescue Satellite Aided Tracking\n SPC                            Storm Prediction Center\n SWPC                           Space Weather Prediction Center\n USAF                           U.S. Air Force\n USB                            Universal Serial Bus\n Vul                            Vulnerabilities\n\n\n\n\nFINAL REPORT NO. 
OIG-14-025-A                                                                       21\n\x0cU.S. DEPARTMENT OF COMMERCE     OFFICE OF INSPECTOR GENERAL\n\n\nAppendix C: Agency Response\n\n\n\n\n\nFINAL REPORT NO. OIG-14-025-A                           22\n\x0cU.S. DEPARTMENT OF COMMERCE     OFFICE OF INSPECTOR GENERAL\n\n\n\n\nFINAL REPORT NO. OIG-14-025-A                           23\n\x0cU.S. DEPARTMENT OF COMMERCE     OFFICE OF INSPECTOR GENERAL\n\n\n\n\nFINAL REPORT NO. OIG-14-025-A                           24\n\x0cU.S. DEPARTMENT OF COMMERCE     OFFICE OF INSPECTOR GENERAL\n\n\n\n\nFINAL REPORT NO. OIG-14-025-A                           25\n\x0cU.S. DEPARTMENT OF COMMERCE     OFFICE OF INSPECTOR GENERAL\n\n\n\n\nFINAL REPORT NO. OIG-14-025-A                           26\n\x0cU.S. DEPARTMENT OF COMMERCE     OFFICE OF INSPECTOR GENERAL\n\n\n\n\nFINAL REPORT NO. OIG-14-025-A                           27\n\x0cU.S. DEPARTMENT OF COMMERCE                    OFFICE OF INSPECTOR GENERAL\n\n\n\n\n                                011200000163\n\n\n\nFINAL REPORT NO. OIG-14-025-A                                          28\n\x0c"